On Tuesday, October 1, 2024, the Promoting Digital Resilience for Businesses Act (Wbdwb) officially entered into force. The act establishes the tasks and powers of the Minister of Economic Affairs (EZ) in the field of digital resilience of non-vital companies in the Netherlands. It makes it possible for the government to share threat information that can be traced back to a specific company so that protective measures can be taken quickly.

Research by the Central Bureau of Statistics (CBS) shows that thousands of companies - both large and small - are victims of a cyber attack every year. The Digital Trust Center (DTC) was established in 2018 within the Ministry of Economic Affairs to make the non-vital Dutch business community more resilient against cyber threats. The DTC provides general information and advice to the business community and promotes cooperation between companies on digital resilience. However, there appeared to be an urgent need to inform individual companies about specific digital threats and vulnerabilities that can have a major impact on non-vital companies. Therefore, in 2021, the House of Representatives was informed that - in anticipation of the legal basis provided by the Wbdwb - first steps were being taken to share available specific serious threat information with affected companies through the DTC.
Every day the DTC receives information about vulnerable or hacked systems. If, after review, this information is assessed as a cyber threat to a Dutch company, the DTC alerts the company (a notification) so that it can take action. This involves sending an e-mail message to the company. If the information cannot be traced to a specific company, the network owner is notified. In 2023, over 140,000 notifications were made, and in 2024 the counter will be over 150,000 notifications.
Companies are usually notified because of a security vulnerability or configuration error found in Internet-connected devices or software. This may involve recently discovered vulnerabilities that are not yet being actively exploited, but also longer-known vulnerabilities in systems that are still running older software versions. Examples include Microsoft Exchange but also so-called "edge devices" such as firewalls and VPN solutions. For example, the DTC issued notifications several times this year about Ivanti and Fortinet. The DTC was also able to notify companies about vulnerable Qlik Sense Servers thanks to the Melissa partnership. The DTC also notifies companies when corporate information has been stolen. For example, it was able to alert Dutch organizations about leaked login credentials of corporate accounts that the international action 'Operation Endgame' uncovered.
The entry into force of the Wbdwb creates a new legal task for the Minister of Economic Affairs to provide the business community with company-specific serious threat information known to the government. For the vital organizations this is regulated in the Network and Information Systems Security Act (Wbni); for the non-vital business community this is now regulated in the Wbdwb. Notification of digital vulnerabilities and security breaches often requires the use of personal data such as IP addresses and employee e-mail data. The new law provides the legal basis to process this data when performing this legal task.
